I’m often asked, “What is the best tool to secure my mobile devices?” My answer is always: “Secure from what?” Unfortunately in the security industry, people equate security with tools, and happily buy technologies with claims of protection instead of determining first as to what do they need to be protected from? But the right way is focus less on the capabilities of technology, and more on the business security requirements. There are many pieces to the mobile security puzzle, such as data protection from unauthorized access, strong credentials, application security, privacy, threat of theft or loss, etc. Each of these has a different approach to manage, and an organization needs to prioritize their requirements before looking for tools.
One way to help prioritize is by making sure you have considered all security areas of control. I’m currently writing a series of blog posts for the Council on Cyber Security, about how to apply the 20 Critical Security Controls (CSC) to mobile security. The 20 CSCs have been developed by leading cyber security thought leaders, and are maintained and updated by the Council on Cyber Security. They include fundamentals of asset and configuration management, vulnerability assessment, malware defenses, application security, restriction of admin privileges, data loss prevention and others. Last week I was on a panel at a SANS Summit in Nashville, Tennessee lead by Tony Sager, who manages the 20 CSC Panel. The 20 CSC are a good complement to ISO 27001 guidelines, NIST cyber security frameworks, or even regulations like HIPAA or PCI DSS. The 20 CSCs gives specific areas of focus, with guidance to measure an organization’s ability to manage the controls, and suggestions for improvement to mature security risk management. It is traditionally applied to enterprise security programs, and fixed-line technology, but it’s directly applicable to mobile security.
Core to all security is developing an understanding of what you have, and what is its current state. As it relates to mobile security, Mobile Device Management plays a key role in this foundation. It also helps with configuration management, keeping the devices up to date, and allowing use of appropriate applications, while preventing unauthorized applications. But when we move down the list to actual protections from application threats, network level threats, or compromising credentials, we need to expand our control to identify tools that can protect the mobile devices. There are risks from threats such as man-in-the-middle attacks while on WiFi networks, to protecting applications from accessing unauthorized data or features of the device. This is where organizations must prioritize their risks to data protection: do I need to use application-specific VPNs? Do I need to incorporate multi-level authentication mechanisms? Do I need to virtualize my current smart card identities? These are all possible technically, but must be integrated into the current security management process, which might not be part of the mobility management process.
It’s not just technical controls, but also about monitoring, management, and response to issues and alerts from mobile devices. Many organizations don’t have the maturity to perform traditional incident response on their mobile workforce, to identify, contain, remediate, and recover from mobile security incidents. Technology supports a process: build the process, and then identify the most appropriate technology to use. So, please follow my series on the Council on Cyber Security site, over the next couple months I’ll delve into many topics like mentioned above to spell out a comprehensive approach to allow organizations to build a framework for mobile security.
– Rick Doten, DMI Chief Information Security Officer (CISO)